{
	"id": "7ac50736-30b7-4af7-a112-2846be9327cb",
	"created_at": "2026-04-06T00:12:59.842267Z",
	"updated_at": "2026-04-10T03:36:13.870962Z",
	"deleted_at": null,
	"sha1_hash": "80ffb5ab6a8a5f2ce5a02f10a8b131b48d5b0672",
	"title": "“Tick” Group Continues Attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 653176,
	"plain_text": "“Tick” Group Continues Attacks\r\nBy Kaoru Hayashi\r\nPublished: 2017-07-25 · Archived: 2026-04-05 15:28:40 UTC\r\nThe “Tick” group has conducted cyber espionage attacks against organizations in the Republic of Korea and Japan for several years. The group focuses on companies that hold intellectual property or sensitive information, such as those in the defense and high-tech industries. The group is known to use custom malware called Daserf, but it also employs multiple commodity and custom tools, exploits vulnerabilities, and uses social engineering techniques. Regarding command and control (C2) infrastructure, Tick previously used domains registered through privacy protection services to stay anonymous, but has moved to compromised websites in recent attacks. With multiple tools and anonymous infrastructure, the group is running longstanding and persistent attack campaigns. We have observed the adversary repeatedly attacking a high-profile target in Japan with multiple malware families over the last three years.\r\nTick Tools\r\nSymantec was the first to publicly report on Tick, followed by LAC in 2016. These reports discussed the group’s malware, Daserf (a.k.a. Muirim or Nioupale), and some additional downloader programs. Though Daserf was not a popular attack tool at the time the two reports were published, it dates back to at least 2011. Using AutoFocus, we were able to identify a link between Daserf and two other threats, 9002 and Invader. These threats shared infrastructure between July 2012 and April 2013.\r\nFigure 1 Sharing C2 servers among threats\r\nInvader (a.k.a. Kickesgo) is a backdoor that injects its main code into a legitimate process, such as explorer.exe, and has the following functions:\r\nLogs keystrokes and mouse movement\r\nCaptures screenshots\r\nOpens a cmd.exe shell\r\nEnumerates processes\r\nExecutes programs\r\nRemoves itself\r\nEnumerates all open TCP and UDP ports\r\nhttps://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/\r\nPage 1 of 10\r\n9002 is the infamous RAT frequently seen in targeted attacks reported by various security vendors, including Palo Alto Networks. Interestingly, the C2 servers linking 9002 to Daserf were described in the report of an Adobe Flash zero-day attack from FireEye in 2013. These domains were registered through privacy protection services in 2008 and 2011.\r\nkrjregh.sacreeflame[.]com\r\nlywja.healthsvsolu[.]com\r\nThough we do not know the targets of these malware samples at the time of writing, we suspect the same group is behind these threats for a number of reasons. The samples of Daserf that shared infrastructure were submitted to VirusTotal only from Japan, multiple times in 2013. As noted in a later section, another Invader sample shared different C2 servers with Daserf. Symantec reported that Tick exploited additional Adobe Flash and Microsoft Office vulnerabilities. SecureWorks said the adversary group is abusing a previously undisclosed vulnerability in a Japanese software asset management system on endpoints. Therefore, Tick or their digital quartermaster is capable of deploying new and unique exploits.\r\nMinzen and Nameless Backdoor\r\nIn July 2016, we identified a compromised website in Japan that was hosting a Daserf variant. The web server was also a C2 server for another threat, Minzen (a.k.a. XXMM, Wali, or ShadowWali). This threat often uses compromised web servers in Japan and the Republic of Korea.\r\nAs Kaspersky and Cybereason recently posted, Minzen is modular malware that carries both 32-bit and 64-bit components in its resource section or in configuration data in its body. One of the Minzen samples (SHA256: 9374040a9e2f47f7037edaac19f21ff1ef6a999ff98c306504f89a37196074a2), found in the Republic of Korea in December 2016, installs a simple backdoor module as the final payload on a compromised computer. It opens a TCP port and receives commands from a remote attacker. According to the debug path in the body, the author of the tool called it \"NamelessHdoor,\" and its internal version is identified as “V1.5.”\r\nFigure 2 Debug path left in the backdoor module in Minzen\r\nThe payload is based on \"Nameless Backdoor,\" which has been publicly available for more than ten years. The oldest code we could identify has been hosted on a well-known Chinese source code sharing site since 2005. The author of NamelessHdoor appears to have created additional versions of the Nameless Backdoor by removing unnecessary functions and adding open-source DLL injection code from ReflectiveDLLLoader.\r\nFigure 3 Nameless Backdoor posted on Chinese Source File Sharing Site\r\nThere is minimal public information regarding the Nameless Backdoor, except for an interesting report from Cyphort in 2015. A researcher at the company analyzed multiple threats, including Invader, Nioupale (Daserf) and Hdoor, found in an attack against an Asian financial institution. We examined the sample described in the report as Hdoor and found it is a previous version of the NamelessHdoor we discovered in the Minzen sample, but without support for DLL injection.\r\nFigure 4 Strings in NamelessHdoor sample found in 2015\r\nShared Infrastructure and Cipher Code with Custom Gh0st\r\nOther interesting samples in the report are dllhost.exe and Shell64.dll. We do not have the same files but found possible variants close to their description in the article. These include the following:\r\nExecutable files that connect to the same remote server, blog.softfix.co[.]kr:80, download a DLL file and execute the 'lowmain' export function.\r\nDLL files that have 'lowmain' and 'main' exports.\r\nIt turned out that the DLL files we found are a custom variant of Gh0st RAT, and the EXE files download the RAT. Since its source code is publicly available, Gh0st RAT has been used by multiple actors for years.\r\nThe domain softfix.co[.]kr was registered in 2014. One of its subdomains, news.softfix.co[.]kr, was the C2 server of Daserf (SHA256: 9c7a34390e92d4551c26a3feb5b181757b3309995acd1f92e0f63f888aa89423). Another subdomain, bbs.softfix.co[.]kr, was hosted on the same IP address as bbs.gokickes[.]com, which was reported as the C2 server of Invader by Cyphort. We also identified www.gokickes[.]com as the C2 of another Invader variant (SHA256: 57e1d3122e6dc88d9eb2989f081de88a0e6864e767281d509ff58834928895fb).\r\nIn addition to the infrastructure, the attacker also shared code. The Gh0st downloaders employ a simple substitution cipher for hiding strings.\r\nFigure 5 Decryption code in Gh0st Downloader\r\nThe cipher converts one character to another based on a substitution table, which can be seen below. As an example, the character 'K' in plain text is changed to '5' in cipher text, 'h' is converted to 'j', and so on. The string 'connect' was encoded to 'zF((0za' using this table.\r\nplain text:  KhL9V1ds5Z\"QnfNC&Fb8xGr-()<>[]{}|+THce;0%7Oiz#W DE6qS?aw./BJlk,yUPjgI ^@$*tumYA'p2RoX=v_:M43\r\ncipher text: 5j2Cnx^@$*(){}|+mX k3DK'LGchHNPgZ,z0T8_sRU7)<>\"[lBpdfI#%bu;yt-YeoW?4vAMQVa.6qJi:=wFO9&/1ESr\r\nTable 1 Substitution Table used in Gh0st Downloader\r\nThe following Python script can decipher the encoded string.\r\n# Substitution alphabets from the table above: ciphertext[i] is the encoding of plaintext[i].\r\n# Raw strings keep the backslash-backtick sequence exactly as published, since the index\r\n# alignment between the two alphabets depends on it.\r\nplaintext = r\"\"\"KhL9V1ds5Z\"QnfNC&Fb8xGr-()<>[]{}|+THce;0%7Oiz#W DE6qS?aw./BJlk,yUPjgI\\`^@$*tumYA'p2RoX=v_:M43\"\"\"\r\nciphertext = r\"\"\"5j2Cnx\\`^@$*(]{}|+mX k3DK'LGchHNPgZ,z0T8_sRU7)<>\"[lBpdfI#%bu;yt-YeoW?4vAMQVa.6qJi:=wFO9&/1ESr\"\"\"\r\nenc_string = \"zF((0za\"  # the encoded form of 'connect' seen in the downloader\r\ndec_strings = ''\r\nfor c in enc_string:\r\n    # the position of the cipher character selects the corresponding plain character\r\n    dec_strings += plaintext[ciphertext.find(c)]\r\nprint(dec_strings)\r\nThe exact same table for the simple substitution cipher is used in a variant of Daserf (SHA256: 01d681c51ad0c7c3d4b320973c61c28a353624ac665fd390553b364d17911f46). We also found a very similar table in other Tick tools. Since the strings are unique to these threats, we believe a developer linked to the group built these tools. Because of the shared domains and code, we believe the incident reported by Cyphort has ties to Tick. The following tables were identified in the associated malware samples:\r\nMinzen (SHA256: 26727d139b593486237b975e7bdf93a8148c52d5fb48d5fe540a634a16a6ba82):\r\nplain text  = \"5j2Cnx`^@$*(]{}|+mX k3DK'LGc!hHNPgZ,z0T8_sRU7)<>\"[lBpdfI#%bu;yt-YeoW?4vAMQVa.6qJi:=wFO9&/1ESr\"\r\ncipher text = \"KhL9V1ds5Z\"QnfNC&Fb8xGr-()<>[]{}|+THce;0%7O!iz#W DE6qS?aw./BJlk,yUPjgI`^@$*tumYA'p2RoX=v_:M43\"\r\nDatper (SHA256: 7d70d659c421b50604ce3e0a1bf423ab7e54b9df361360933bac3bb852a31849):\r\nplain text  = \"KhL9V1ds5Z\"QnfNC&Fb8xGr-()<>[]{}|+THce;0%7O!iz#W DE6qS?aw./BJlk,yUPjgI`^@$*tumYA'p2RoX=v_:M43\"\r\ncipher text = \"5j2Cnx`^@$*(]{}|+mX k3DK'LGc!hHNPgZ,z0T8_sRU7)<>\"[lBpdfI#%bu;yt-YeoW?4vAMQVa.6qJi:=wFO9&/1ESr\"\r\nSpearphishing Email with Patched File Encryption Program\r\nWe also identified another malware family, HomamDownloader, sharing some servers with Daserf. An overview of the connections among these threats is shown below.\r\nFigure 6 Links among threats and servers\r\nHomamDownloader is a small downloader program with few interesting characteristics from a technical point of view. HomamDownloader was discovered to be delivered by Tick via a spearphishing email. The adversary crafted a credible email and attachment after understanding the targets and their behavior.\r\nThe email below was sent from a personal email account with the subject line “New Year Wishes on January 1st”. The message asked the recipient to rename the attachment extension from “._X_” to “.exe” and open it with the password specified in the email to view a Happy New Year eCard, all written in correct and polite language.\r\nFigure 7 Spearphishing Email with HomamDownloader\r\nThe image above translates to the following in English:\r\nDear XXXX,\r\nHeartfelt Greetings for the New Year.\r\nThank you very much for your support over the past year.\r\nI will greatly appreciate your further guidance and encouragement.\r\nWould you please change the file extension of the attachment from \"._X_\" to \".exe\" and open it?\r\nPassword is \"nengajyo\".\r\nFor those who are not familiar with Japanese companies, the email must look suspicious, especially given that the executable attachment has the wrong file extension. However, this may look legitimate in some cases. Many Japanese companies have introduced a file encryption system for secure data exchange over email. The system encrypts documents with a user-specified password and often creates a self-extracting (SFX) file so that recipients can decrypt the file easily. When sending the SFX file with a password by email, senders usually rename the file extension from .exe to something else so that the attachment is not blocked or detected by an email gateway or security product. The adversary may know that Japanese enterprise users exchange emails in this way and crafts the spearphishing email in the same manner.\r\nIn addition to the social engineering in the email, the attacker also employs a trick in the attachment. The actor embedded malicious code in a resource section of a legitimate SFX file created by a file encryption tool, and modified the entry point of the program to jump to the malicious code as soon as the SFX program starts. The malicious code drops HomamDownloader, then jumps back to the regular flow in the CODE section, which in turn asks the user for the password and decrypts the file. Therefore, once a user executes the attachment and sees the SFX password dialog, the downloader dropped by the malicious code is already running, even if the user clicks Cancel on the password window. Should the user become aware of the infection later, it may be difficult to find the cause, because the original file embedded within the SFX is benign.\r\nFigure 8 Execution flow of Patched SFX file\r\nConclusion\r\nTick was spotted last year, but the group has been actively and silently attacking various organizations in South Korea and Japan for a number of years. While some of the group’s tools, tactics, and procedures (TTPs) have been covered in this article, it is likely that much still remains uncovered.\r\nPalo Alto Networks customers are protected from these threats in the following ways:\r\n1. All samples discussed are classified as malicious by the WildFire sandbox platform.\r\n2. All identified domains have been classified as malicious.\r\n3. AutoFocus users can track the malware described in this report using the Tick campaign tag and various malware tags.\r\n4. Customers running Traps are protected from the discussed threats.\r\nIndicator of compromise\r\nSource: https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://researchcenter.paloaltonetworks.com/2017/07/unit42-tick-group-continues-attacks/"
	],
	"report_names": [
		"unit42-tick-group-continues-attacks"
	],
	"threat_actors": [
		{
			"id": "f8dddd06-da24-4184-9e24-4c22bdd1cbbf",
			"created_at": "2023-01-06T13:46:38.626906Z",
			"updated_at": "2026-04-10T02:00:03.043681Z",
			"deleted_at": null,
			"main_name": "Tick",
			"aliases": [
				"G0060",
				"Stalker Taurus",
				"PLA Unit 61419",
				"Swirl Typhoon",
				"Nian",
				"BRONZE BUTLER",
				"REDBALDKNIGHT",
				"STALKER PANDA"
			],
			"source_name": "MISPGALAXY:Tick",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "54e55585-1025-49d2-9de8-90fc7a631f45",
			"created_at": "2025-08-07T02:03:24.563488Z",
			"updated_at": "2026-04-10T02:00:03.715427Z",
			"deleted_at": null,
			"main_name": "BRONZE BUTLER",
			"aliases": [
				"CTG-2006 ",
				"Daserf",
				"Stalker Panda ",
				"Swirl Typhoon ",
				"Tick "
			],
			"source_name": "Secureworks:BRONZE BUTLER",
			"tools": [
				"ABK",
				"BBK",
				"Casper",
				"DGet",
				"Daserf",
				"Datper",
				"Ghostdown",
				"Gofarer",
				"MSGet",
				"Mimikatz",
				"Netboy",
				"RarStar",
				"Screen Capture Tool",
				"ShadowPad",
				"ShadowPy",
				"T-SMB",
				"down_new",
				"gsecdump"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "d4e7cd9a-2290-4f89-a645-85b9a46d004b",
			"created_at": "2022-10-25T16:07:23.419513Z",
			"updated_at": "2026-04-10T02:00:04.591062Z",
			"deleted_at": null,
			"main_name": "Bronze Butler",
			"aliases": [
				"Bronze Butler",
				"CTG-2006",
				"G0060",
				"Operation ENDTRADE",
				"RedBaldNight",
				"Stalker Panda",
				"Stalker Taurus",
				"Swirl Typhoon",
				"TEMP.Tick",
				"Tick"
			],
			"source_name": "ETDA:Bronze Butler",
			"tools": [
				"8.t Dropper",
				"8.t RTF exploit builder",
				"8t_dropper",
				"9002 RAT",
				"AngryRebel",
				"Blogspot",
				"Daserf",
				"Datper",
				"Elirks",
				"Farfli",
				"Gh0st RAT",
				"Ghost RAT",
				"HOMEUNIX",
				"HidraQ",
				"HomamDownloader",
				"Homux",
				"Hydraq",
				"Lilith",
				"Lilith RAT",
				"McRAT",
				"MdmBot",
				"Mimikatz",
				"Minzen",
				"Moudour",
				"Muirim",
				"Mydoor",
				"Nioupale",
				"PCRat",
				"POISONPLUG.SHADOW",
				"Roarur",
				"RoyalRoad",
				"ShadowPad Winnti",
				"ShadowWali",
				"ShadowWalker",
				"SymonLoader",
				"WCE",
				"Wali",
				"Windows Credential Editor",
				"Windows Credentials Editor",
				"XShellGhost",
				"XXMM",
				"gsecdump",
				"rarstar"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434379,
	"ts_updated_at": 1775792173,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/80ffb5ab6a8a5f2ce5a02f10a8b131b48d5b0672.pdf",
		"text": "https://archive.orkl.eu/80ffb5ab6a8a5f2ce5a02f10a8b131b48d5b0672.txt",
		"img": "https://archive.orkl.eu/80ffb5ab6a8a5f2ce5a02f10a8b131b48d5b0672.jpg"
	}
}